Being Prepared: Operational Resilience Regulation for Financial Institutions

2021 has been a disruptive year for banks, insurers, asset managers and payments firms. But what is expected of regulated firms, and how do you achieve operational resilience?

Operational Resilience is a current priority for banks, financial institutions and insurance firms, especially as the deadline to meet the UK requirements is 31st March 2022.

In March 2021 the rules around Operational Resilience were finalised and published jointly by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). The regulation citations are listed below:


| Regulator | Short Name | Long Name |
| --- | --- | --- |
| Financial Conduct Authority | PS 21/3 | Building operational resilience: Feedback to CP19/32 and final rules |
| Financial Conduct Authority | SYSC 15A.2 | SYSC15A.2 Operational resilience requirements |
| Financial Conduct Authority | | SYSC TP10 Operational resilience |
| Prudential Regulation Authority | PS 6/21 | Operational resilience: Impact tolerances for important business |
| Prudential Regulation Authority | SS 1/21 | Operational resilience: Impact tolerances for important business services |
| Bank of England | Statement of Policy Operational resilience | Statement of Policy Operational resilience |

Also in March 2021 the Basel Committee on Banking Supervision published its Principles for Operational Resilience.

In April 2021 the Central Bank of Ireland published a consultation paper on its proposals for regulating Irish FS firms, with final rules likely to follow later in 2021 and compliance required within 2 years of the final rules being published.

Ensuring the financial sector is operationally resilient is important for regulators, customers, banks and financial institutions. Many factors can cause problems for consumers and businesses, threatening their viability and finances.

The coronavirus (Covid-19) has shown why it’s so critical for firms to understand the services they provide and strengthen their resilience. Covid-19 was an event outside of all firms' control, and it highlights how disruptions of this nature can have an enormous impact. UK firms had some warning, but not all disruptions will provide the same. With Covid-19, firms were impacted more or less at the same time, but how gravely you were affected depended on your industry. The world is unlikely to have a similar set of circumstances again, and if you are a firm that has survived the pandemic, how prepared are you for the next disruption?

PRA/FCA requirements for UK FIs must be met by 31st March 2022. So what next steps are recommended?

  •       Businesses should identify their important business services.
  •       Set an impact tolerance for each important business service, which should include the first point in time following a disruption to the service which would pose an intolerable risk:
          o   of harm to consumers or market participants;
          o   of harm to market integrity;
          o   to policyholder protection (for insurers);
          o   to the firm's safety and soundness; or
          o   to financial stability.
  •       Identify any weaknesses in their operational resilience, document them in the annual self-assessment and then seek funding to close them.
  •       After 31 March 2022 and no later than 31 March 2025, firms must have testing in place to remain within impact tolerances for individual business services (based on “plausible but severe scenarios”).
  •       Necessary investments must be sought to operate consistently within the impact tolerances from April 2022 (by end March 2025 at the latest).

Key Terms:

  • Important business service: means a service provided by a firm to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability.
  • Impact tolerance: means the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.
  • Scenario testing: is the testing of a firm’s ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations. In carrying out the scenario testing, a firm must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to delivery of the firm’s important business services in those circumstances.
  • Mapping: a firm must identify and document the necessary people, processes, technology, facilities and information (referred to as resources) required to deliver each of its important business services.


  •       Standing up a project team of subject matter experts across different business areas to begin or progress the work required in the timelines specified.
  •       Documenting the proof that will be required. Evidence will be required showing that the firm's reasoning behind its decisions is reliable (e.g. board approval of approach, documented important business service mapping, impact tolerances, “plausible but severe” scenario testing, annual self-assessment to be made available to UK regulators end March 2022).
  •       All businesses will be required to carry out their own program of work around Operational Resilience and to embed it into BAU going forward.
  •       A variety of scenarios will need to be tested; firms must cater for every eventuality and ensure they get it right (“Severe but plausible”).
  •       Responsibility must be taken for the delivery process (who will own/lead – Tech, Ops, Business Continuity, the business – best practice to date includes all areas impacted, board to own/approve)
  •       Management need to take the lead and define processes in their preparation (and report schedule with the UK board to review/approve)

Why should you put Operational Resilience high on your agenda?

  •       For many firms there still remains a lot to tackle to ensure operational resilience before the deadline and it is unlikely many will get it right the first time.
  •       Put a plan(s) in place so you are prepared
  •       Time is running out - there is a lot to do before 31 March 2022 – don’t leave it too late as the timeline proposed for compliance is closer than you think
  •       Do you know the full extent of what needs to be done?
  •       Regulations are also coming in Ireland later this year - get a head start now so what gets done for the UK can also be replicated in Ireland.

All businesses, especially management, need to adopt a sense of urgency and put this at the forefront, ensuring they keep in line with the expectations of the UK regulatory authorities.

But what does this mean for a FS CIO?

  •       How are CIOs feeling about another operational failure?
  •       Within your firm are you solely responsible or have you split responsibility?  Do you feel a split reinforces a damaged corporate culture between technology and the business?
  •       If others are accountable, do you agree this may be too daunting for Manager level, and are they well enough equipped to ensure the business strategy is properly informed by operational resilience considerations?
  •       What happens when your strategic decisions are made outside the UK?
  •       In the event of a failure who is truly accountable?
  •       How confident are you that the funding required to close gaps in meeting impact tolerances will be made available between March 2022 and March 2025?

Are you “ahead of the pack” on your efforts around Operational Resilience?